
GLBA Safeguards Rule 2023 Amendments: What Financial Institutions Must Do

Framework Guide · 15 min read


Ghulam Rasool
Founder & Compliance Engineering Lead · CISGuard

The Safeguards Rule, Substantially Updated

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule has required financial institutions to maintain an information security program since 2003. For two decades the rule was high-level: identify risks, develop and implement safeguards, oversee service providers, evaluate and adjust the program. The vagueness was intentional — the rule was designed to be flexible across the spectrum of "financial institutions" the FTC oversees under GLBA.

In October 2021 the FTC announced substantial amendments, with effective dates in 2022 and an extended deadline for several specific provisions to June 9, 2023. The 2023 amendments are now the operative requirements, and the change is significant. The amended rule prescribes specific technical and administrative controls, requires a designated Qualified Individual to oversee the program, expands the definition of financial institution, and adds an annual reporting obligation to the board.

For institutions previously operating against the high-level original Safeguards Rule, the amendments are a structural lift, not a cosmetic update.

Who the Safeguards Rule Covers

The Safeguards Rule applies to financial institutions over which the FTC has jurisdiction. The amended rule expanded the definition of "financial institution" to include entities engaged in activities incidental to financial activities, which broadened the scope substantially.

Covered entities include:

Banks and credit unions (overseen by their primary banking regulators, with comparable rules)

Mortgage brokers and lenders

Tax preparers

Payday lenders

Check cashers

Auto dealers offering financing

Real estate appraisers

Investment advisors not registered with the SEC

Wire transfer services

Collection agencies

Higher education institutions that participate in financial aid programs

Many other entities that handle customer financial information

The higher education inclusion is meaningful: colleges and universities receiving Title IV student financial aid are GLBA financial institutions for purposes of the Safeguards Rule. This added an entire sector to active Safeguards Rule compliance.

The expansion under the amendments meant that thousands of entities not previously focused on GLBA compliance found themselves in scope.

What the Amendments Added

The 2023 amendments introduced specific requirements where the original rule was high-level. The major additions:

A Qualified Individual. Each financial institution must designate a Qualified Individual to oversee, implement, and enforce the information security program. The Qualified Individual is named, has authority, and reports to the institution's board or governing body. This is a personnel requirement that did not exist in the original rule.

Specific technical controls. Where the original rule referenced safeguards generally, the amendments name specific controls:

Access controls including multifactor authentication

Inventory of data and systems

Encryption of customer information in transit and at rest

Secure development practices for in-house applications

Multi-factor authentication for any individual accessing customer information

Procedures for secure disposal of customer information

Change management procedures

Monitoring and logging activity of authorized users to detect unauthorized access or activity

Regular vulnerability assessments and penetration testing

Continuous monitoring or annual penetration testing combined with biannual vulnerability assessments. Institutions must either operate continuous monitoring sufficient to detect unauthorized activity or, in its absence, conduct annual penetration tests and biannual vulnerability assessments.

Incident response plan. A written incident response plan with named roles, communication protocols, and processes for documenting incidents.

Board-level reporting. The Qualified Individual must report at least annually to the board (or senior leadership where there is no board) on the overall status of the information security program and material risks.

Service provider oversight. Continued and enhanced obligations to select service providers capable of maintaining appropriate safeguards, contractually require those safeguards, and periodically reassess.

Training. Security awareness training for personnel with access to customer information, including specialized training where appropriate.

The Annual Board Report Obligation

The board reporting requirement deserves specific attention. The Qualified Individual must prepare a written report covering at least the following:

1. Overall status of the information security program and compliance with the Safeguards Rule

2. Material matters related to the program, including risk assessment, risk management decisions, service provider arrangements, results of testing, security events and management responses, and recommendations for changes to the program

The report goes to the board of directors or other governing body. Where there is no board, it goes to a senior officer responsible for the institution's information security program.

The implication is that the program needs to produce evidence the board can consume. Generic claims of compliance are insufficient; the report must reflect concrete program execution, testing results, incidents, and recommendations.

Specific Technical Controls in Detail

Several of the named technical controls have implementation depth worth examining:

Multi-factor authentication. Required for any individual accessing any information system that contains customer information. The MFA scope is broad: it applies to internal employees, contractors, and third parties. Approved MFA methods include knowledge factors plus inherence or possession factors. The rule allows reasonable equivalent alternatives where MFA is infeasible, but the burden of demonstrating equivalence is on the institution.

Encryption in transit and at rest. Customer information must be encrypted both during transmission and while at rest, except where the Qualified Individual approves a compensating control after determining encryption is infeasible. Approved alternative compensating controls must be documented.

Inventory of data and systems. The institution must identify and manage the data, personnel, devices, systems, and facilities that enable the institution to achieve its business purposes. This is the asset and data inventory that grounds the rest of the program.

Continuous monitoring or scheduled testing. Either continuous monitoring sufficient to detect changes in information systems that may create vulnerabilities, OR annual penetration testing combined with biannual vulnerability assessments. Continuous monitoring is the increasingly preferred path because the alternative produces less defensible coverage of the rapidly changing modern threat surface.

Secure development practices. Where the institution develops its own applications, secure development practices must be in place. This includes secure coding standards, code review, vulnerability testing of applications, and secure handling of credentials in code.

Change management. Procedures for evaluating, testing, approving, and tracking changes to information systems. The procedures must address security impact assessment as part of change control.

Common Gaps in 2023 Amendment Compliance

Across institutions transitioning to the amended rule, the recurring gaps are:

MFA scope underestimation. Institutions implement MFA for employees but miss contractors, third-party access, and access to specific systems. The rule's scope is "any individual accessing any information system that contains customer information," which is broader than typical interpretations.

Encryption inventory incomplete. Institutions encrypt the obvious data stores but miss backups, intermediate processing systems, mobile devices, and email attachments containing customer information. The full data flow must be encrypted, not just the primary repository.

Inventory of data and systems is informal or incomplete. Institutions have CMDBs for IT systems but lack a data inventory that identifies where customer information actually resides. The inventory must support the rest of the program.

Continuous monitoring claimed but not implemented. Institutions choose the continuous monitoring path but operate it as periodic scanning rather than continuous detection. Monthly scans are not continuous monitoring.

Service provider oversight superficial. Vendor security questionnaires are sent at onboarding but never refreshed. Service providers with material customer information exposure are not subject to ongoing oversight.

Annual board report incomplete. The annual report is prepared but lacks specificity: it claims compliance without evidence, omits incident discussion, omits testing results, or fails to identify recommendations.

Incident response plan is generic. A written plan exists but has not been tested, lacks named roles, or fails to address the specific incident types most likely for the institution.
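As an added example (not code from the original post or from CISGuard), the following Python gap checker applies the three scope rules discussed in the sections above to a constructed data-and-systems inventory: every identity on a system that holds customer information is checked for MFA (contractors and third parties exactly like employees), encryption is checked on backups as well as primary stores with a documented compensating control as the only accepted exception, and scan cadence is tested for the longest gap between scans rather than for the mere existence of scans. The 24-hour threshold is an assumed program-level definition of "continuous", not a number from the rule; system names, identities, and scan dates are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# What this program treats as "continuous": an assumption for this example,
# not a figure from the Safeguards Rule. The Qualified Individual would set it.
CONTINUOUS_MAX_GAP = timedelta(hours=24)


@dataclass
class Identity:
    name: str
    kind: str            # "employee", "contractor", "third_party", "service"
    mfa_enforced: bool


@dataclass
class System:
    name: str
    holds_customer_info: bool
    identities: list
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    scan_times: list     # datetimes of completed scans
    # Compensating control approved by the Qualified Individual, if encryption
    # was determined to be infeasible for this system.
    compensating_control: Optional[str] = None


def mfa_gaps(system: System) -> list:
    """Scope is 'any individual accessing any system that contains customer
    information', so identity type does not exempt anyone."""
    if not system.holds_customer_info:
        return []
    return [
        {"system": system.name, "control": "mfa",
         "detail": f"{i.kind} identity {i.name!r} has no MFA enforced"}
        for i in system.identities if not i.mfa_enforced
    ]


def encryption_gaps(system: System) -> list:
    """Unencrypted customer information is a finding unless a documented
    compensating control exists; backups are checked like primary stores."""
    if not system.holds_customer_info:
        return []
    findings = []
    for label, ok in (("at_rest", system.encrypted_at_rest),
                      ("in_transit", system.encrypted_in_transit)):
        if not ok and system.compensating_control is None:
            findings.append({"system": system.name,
                             "control": f"encryption_{label}",
                             "detail": "customer information unencrypted and "
                                       "no documented compensating control"})
    return findings


def monitoring_gaps(system: System, now: datetime) -> list:
    """Continuous means no gap longer than the threshold, including the gap
    between the most recent scan and now. Monthly scanning fails this."""
    if not system.holds_customer_info:
        return []
    times = sorted(system.scan_times)
    if not times:
        return [{"system": system.name, "control": "continuous_monitoring",
                 "detail": "never scanned"}]
    points = times + [now]
    worst = max(b - a for a, b in zip(points, points[1:]))
    if worst > CONTINUOUS_MAX_GAP:
        return [{"system": system.name, "control": "continuous_monitoring",
                 "detail": f"longest scan gap {worst.days}d exceeds "
                           f"{CONTINUOUS_MAX_GAP}"}]
    return []


def run_checks(inventory: list, now: datetime) -> list:
    findings = []
    for system in inventory:
        findings += mfa_gaps(system) + encryption_gaps(system) \
            + monitoring_gaps(system, now)
    return findings


def summarize(findings: list) -> dict:
    """Count of open findings per control: the shape of a material-findings
    line in the annual board report."""
    counts = {}
    for f in findings:
        counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


# Constructed sample inventory (fixed 'now' so results are reproducible).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
DAILY = [NOW - timedelta(days=d) for d in range(1, 31)]
MONTHLY = [NOW - timedelta(days=30), NOW - timedelta(days=60)]

SAMPLE_INVENTORY = [
    System("loan-origination-db", True,
           [Identity("alice", "employee", True),
            Identity("vendor-support", "contractor", False)],
           True, True, DAILY),
    System("loan-db-backups", True,
           [Identity("backup-agent", "service", True)],
           False, True, MONTHLY),
    System("marketing-web", False,            # out of scope: no customer info
           [Identity("bob", "employee", False)],
           False, False, MONTHLY),
]

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_INVENTORY, NOW):
        print(finding)
    print(summarize(run_checks(SAMPLE_INVENTORY, NOW)))
```

The point of scoping every check on `holds_customer_info` is that the inventory, not the CMDB, decides what is in scope: the marketing system's missing MFA produces no finding because no customer information lives there, while the backup system is held to the same encryption and cadence standard as the primary database.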

How Continuous Compliance Operationalizes the Amendments

The amended rule's technical controls map directly to configuration and monitoring practices that continuous CIS benchmark scanning evaluates:

MFA enforcement: account configuration evaluation across platforms

Encryption in transit: TLS configuration evaluation, with deprecated protocols disabled

Encryption at rest: disk encryption configuration on Windows, Linux, cloud volumes

Access controls: account management, privilege restriction, RBAC configuration

Change management: configuration baseline enforcement with drift detection

Continuous monitoring: per-asset scanning at defined cadence with regression tracking

Logging: audit policy configuration, log retention enforcement

For the technical safeguards categories, a continuous CIS benchmark scanning program produces the evidence the rule expects, with the timestamp discipline necessary for board reporting and regulatory inquiry.

Integration with Other Financial Regulations

The GLBA Safeguards Rule applies to FTC-jurisdiction financial institutions. Banks and credit unions are primarily overseen by their primary regulators (OCC, FDIC, Federal Reserve, NCUA), which have their own information security guidance. Many institutions operate against multiple overlapping regimes:

GLBA Safeguards Rule (FTC)

FFIEC IT Examination Handbook (federal banking regulators)

NYDFS 23 NYCRR 500 (New York-licensed financial institutions)

SEC Regulation S-P (broker-dealers, investment advisors)

State financial institution data security laws

The amended Safeguards Rule's specific technical controls overlap substantially with NYDFS 23 NYCRR 500 and FFIEC expectations. An institution operating against all three can typically run a single technical program that satisfies all three through differentiated reporting rather than differentiated controls.

How CISGuard Supports GLBA Safeguards Programs

CISGuard's continuous CIS benchmark scanning produces direct evidence for the technical controls the amended Safeguards Rule requires:

22 CIS benchmarks covering the platforms most customer information lives on (Windows, Linux, cloud, M365, Kubernetes)

MFA, access control, encryption, and logging evaluation in every scan

Continuous drift detection demonstrating that technical safeguards remain enforced

Multi-framework mapping showing simultaneous coverage of GLBA, NYDFS 23 NYCRR 500, SOC 2, and other applicable frameworks

Board-ready reporting with executive summaries, framework coverage, trending, and material findings suitable for inclusion in the annual board report

Immutable audit trail of every scan, drift event, exception, and remediation

See GLBA-aligned features in CISGuard or request a Safeguards Rule readiness review.

CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.
